Baidu Search Toolbar Tapped to Steal Data

The toolbar distributed by Chinese-language search engine Baidu is being targeted by opportunistic attackers and used to exfiltrate corporate secrets, says Rob Eggebrecht, president and CEO of security firm InteliSecure.

Baidu, like all major search engines, including Bing, Google and Yahoo, distributes a toolbar that can be used to speed up searches. But Eggebrecht says that multiple organizations have traced data breaches to an intrusion that began when outside attackers used the Baidu toolbar to sneak data-stealing malware into their enterprise. Without naming names, he says that one recent victim was a U.S. pharmaceutical firm, from which attackers compromised research and development work worth hundreds of millions of dollars.

His firm believes that the attacks trace back to individuals associated with the Chinese government. "Our take on it, not trying to directly pick on the Chinese, is that ... when users hit certain links, attackers drop down ... malware, or phone-home technology, that starts capturing information."

Eggebrecht says the toolbar-enabled data exfiltration comes at a time when his firm has witnessed a spike in attacks against corporate networks - and not just those targeting toolbars - by what appear to be attackers with ties to China. To date, however, hacking U.S. organizations seems to trigger few - if any - penalties against either Chinese individuals or the government itself (see Sea-to-Sea: China Hacks in U.S.).

Reached after business hours in China, a Baidu spokesman tells Information Security Media Group that the company's security team will investigate InteliSecure's hack-attack claims, but he could not yet offer additional comment.

U.S. law enforcement officials have begun sounding China-related hacking warnings (see OPM Breach: China Is 'Leading Suspect'). FBI Assistant Director Randall Coleman, who runs the bureau's counterintelligence division, said last week during a call with reporters that China's intelligence activities are "as aggressive now as they've ever been" and that the bureau in 2014 investigated "hundreds" of suspected cases of corporate espionage launched on behalf of China, The Daily Beast reports. "The predominant threat we face right now is from China," he said.

An Opportunistic Attack Option

APT-style attacks - often beginning with a phishing email, and relying on targets to execute attachments and thus infect their systems with malware - are seen as the hallmark of corporate espionage. But attackers have never been averse to employing simpler options, when available. And some are now tapping Baidu search engine toolbars, which many Chinese expatriates who work in the United States have installed in their browser.

Some organizations breached in the past year have employed a number of Chinese expatriates living in the U.S. or Europe, Eggebrecht notes. Not coincidentally, some employees at these firms had also installed the Chinese-language Baidu search toolbar, he adds.

Targeting the toolbar "was an opportunistic way for the Chinese government to capture information in a very nonchalant manner, because ... they know they have a good expat user base in the research community" that is going to rely on a Chinese-language search engine, Eggebrecht says.

Time to Block Toolbars?

All browser toolbars should be blocked by default, says Alan Woodward, a computer science visiting professor at the University of Surrey, and a cybersecurity adviser to Europol, the association of European police agencies. "These so-called 'helper' add-ins, I mean, god knows what they're doing," he says. "It's a well-known attack vector."

But beyond the search giants, technology firms such as Adobe and Oracle - with Java - also try to push either their own toolbars or third-party toolbars, such as Ask. "Vendors have got to stop that," Woodward says.

Alan Woodward discusses the threat posed by search toolbars.
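Woodward's advice above, and InteliSecure's recommendation later in this article that customers block the Baidu search bar, both come down to the same two administrative steps: find out which browser add-ons are actually installed across the fleet, then switch the browsers to an allowlist-only model so that nothing outside a vetted set loads. The PowerShell below is an added example written for this article; it is not code from InteliSecure, Baidu or ISMG. It inventories Internet Explorer Browser Helper Objects and Chrome extensions on a Windows host, then writes the documented Chrome and IE add-on policies to the local machine's policy keys. The Baidu name filter and the allowlisted IDs are assumptions you would replace with your own vetted list; on domain-joined machines the same values should be delivered through Group Policy rather than written locally.

```powershell
# Added example (not from the article's sources): inventory browser add-ons on a
# Windows host and enforce an allowlist-only policy for Chrome and Internet Explorer.
# Run as an administrator. Registry paths are the documented registration and
# policy locations; $AllowedChromeExtensionIds, $AllowedIEClsids and the 'baidu'
# name filter are assumptions for illustration.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-IEBrowserHelperObjects {
    # Each subkey is the CLSID of a registered BHO; the friendly name and the
    # DLL that IE will load are resolved from the CLSID's COM registration.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $clsid  = $_.PSChildName
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Browser = 'IE'; Id = $clsid; Name = $name; Path = $dll }
        }
    }
}

function Get-ChromeExtensions {
    # Chrome unpacks each installed extension under <profile>\Extensions\<id>\<version>\.
    # Names of the form __MSG_xxx__ are localised placeholders; the ID is the stable key.
    Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
        $extRoot = Join-Path $_.FullName 'AppData\Local\Google\Chrome\User Data\Default\Extensions'
        if (-not (Test-Path $extRoot)) { return }
        Get-ChildItem $extRoot -Directory | ForEach-Object {
            $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { $null }
            [pscustomobject]@{ Browser = 'Chrome'; Id = $_.Name; Name = $name; Path = $_.FullName }
        }
    }
}

function Set-BrowserAddOnAllowlist {
    param(
        [string[]]$AllowedChromeExtensionIds = @(),  # assumption: 32-char IDs your org vetted
        [string[]]$AllowedIEClsids = @()              # assumption: CLSIDs your org vetted
    )
    # Chrome: ExtensionInstallBlocklist "*" blocks everything; ExtensionInstallAllowlist
    # re-enables only the listed IDs. (Chrome before v86 used the name ExtensionInstallBlacklist.)
    $chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    New-Item -Path "$chrome\ExtensionInstallBlocklist" -Force | Out-Null
    New-ItemProperty -Path "$chrome\ExtensionInstallBlocklist" -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    New-Item -Path "$chrome\ExtensionInstallAllowlist" -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedChromeExtensionIds) {
        New-ItemProperty -Path "$chrome\ExtensionInstallAllowlist" -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
    # IE: RestrictToList=1 is "Deny all add-ons unless specifically allowed in the Add-on List";
    # under Ext\CLSID each allowed CLSID gets the string value "1" (enabled).
    $ie = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
    New-Item -Path "$ie\CLSID" -Force | Out-Null
    New-ItemProperty -Path $ie -Name 'RestrictToList' -Value 1 -PropertyType DWord -Force | Out-Null
    foreach ($clsid in $AllowedIEClsids) {
        New-ItemProperty -Path "$ie\CLSID" -Name $clsid -Value '1' -PropertyType String -Force | Out-Null
    }
}

# Usage: report everything installed, flag anything that names Baidu, then lock down.
$inventory = @(Get-IEBrowserHelperObjects) + @(Get-ChromeExtensions)
$inventory | Format-Table Browser, Id, Name -AutoSize
$inventory | Where-Object { "$($_.Name) $($_.Path)" -match 'baidu' } |
    ForEach-Object { Write-Warning "Baidu add-on present: $($_.Browser) $($_.Id)" }
Set-BrowserAddOnAllowlist -AllowedChromeExtensionIds @() -AllowedIEClsids @()
```

Run the inventory first and feed its output into your ticketing or SIEM before enforcing the policy; a blanket block with an empty allowlist will also remove add-ons the business depends on, which is exactly the "don't slow us down" pushback Eggebrecht describes. Firefox keeps its own extension store and policy mechanism and is not covered here.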

Corporate Espionage Too

Eggebrecht says attackers have not just been targeting military or defense-sector secrets, but also "consumer goods, and the branding and marketing for that. They're not interested in building Coca-Cola. They want to build up their own brands." To do that, he says, it appears that the Baidu toolbar hackers are attempting "to capture bulk data" from the PCs of users working in specific fields or industries, so they can sift through that data and see what secrets it might reveal.

Until organizations get savvy about these types of attacks, they're putting themselves at risk, says information security consultant William Hugh Murray, who's an associate professor at the Naval Postgraduate School. In a recent SANS newsletter he writes: "Historically, most enterprises have not considered that threat sources directed at them would enjoy the resources of a nation state. That has changed. If your business holds intellectual property - e.g., business plans, designs, processes, methods - of your own or others, that might be useful to a competitor - or a potential partner in China - your threat assumption must include industrial espionage by a nation state on behalf of a potential competitor."

Toolbar Threat Remains

Because InteliSecure's digital forensic investigations at hacked organizations have traced back numerous data breaches to intrusions that opportunistically targeted the Baidu toolbar, the firm is urging its customers to begin blocking the Baidu search bar. But Eggebrecht says that not everyone has heeded those warnings. "We're getting pushback from some of our customers who have large R&D groups who have Chinese nationals. They say: 'These are our researchers, they've done good work, we've done background checks on them, we're watching their behavior closely.'"

Of course, that response misses the point, he says. "It's the double edge of security services: we want to be protected, but don't slow us down. And unless you have concrete proof, then we're not going to do anything about it."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
